semantic-release "EGITHUBBADTOKENSCOPE" wrong token scope in CI
The @semantic-release/github plugin checked the scopes on your GitHub token and found they are insufficient to create releases and push. The token authenticates but is missing the repo/write scope required to operate.
What this error means
The run fails with "EGITHUBBADTOKENSCOPE The GitHub token configured in the GH_TOKEN or GITHUB_TOKEN environment variable doesn't allow to push".
semantic-release
[semantic-release] > EGITHUBBADTOKENSCOPE The GitHub token doesn't have the required permissions.
The GitHub token configured in the GH_TOKEN or GITHUB_TOKEN environment variable must have
the required permissions to push on the repository owner/repo.Common causes
A fine-grained PAT missing the Contents permission
A fine-grained token was created without the Contents: read and write permission, so the scope check fails.
A classic PAT without the repo scope
A classic personal access token that only has read-only scopes cannot create releases or push.
How to fix it
Regenerate the PAT with the right scope
- For a classic PAT, enable the
reposcope. - For a fine-grained PAT, grant Contents write and Pull requests / Issues as needed.
- Update the secret and re-run the release.
Use a GitHub App installation token
A GitHub App token scoped to the repo with contents write avoids classic-PAT scope pitfalls.
.github/workflows/release.yml
- uses: actions/create-github-app-token@v1
id: apptoken
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}How to prevent it
- Grant Contents write when creating fine-grained tokens for releases.
- Prefer a GitHub App token for least-privilege, auto-rotating auth.
- Document the exact scopes the release token needs.
Related guides
semantic-release "EGITNOPERMISSION" cannot push to the repository in CIFix semantic-release "EGITNOPERMISSION The push permission to the Git repository is required" in CI - the tok…
semantic-release push to protected branch rejected in CIFix semantic-release push rejected by a protected branch rule in CI - the default GITHUB_TOKEN cannot bypass…
semantic-release "ENOGHTOKEN" no GH_TOKEN or GITHUB_TOKEN in CIFix semantic-release "ENOGHTOKEN No GitHub token specified" in CI - the @semantic-release/github plugin found…